ID OPENVAS:10796 Type openvas Reporter This script is Copyright (C) 2001 by John Lampe Modified 2017-12-15T00:00:00
Description
This script performs a LaBrea tarpit scan by sending a bogus ACK and an ACK window probe to a potential host. It also sends a TCP SYN to test for non-persisting LaBrea machines.
# OpenVAS Vulnerability Test
# $Id: labrea.nasl 8145 2017-12-15 13:31:58Z cfischer $
# Description: scan for LaBrea tarpitted hosts
#
# Authors:
# John Lampe...j_lampe@bellsouth.net
#
# Copyright:
# Copyright (C) 2001 by John Lampe
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Plugin registration: only runs when the scanner loads the script with
# `description` set; the probe logic below is skipped in that pass.
if(description)
{
  script_id(10796);
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_version("$Revision: 8145 $");
  script_tag(name:"last_modification", value:"$Date: 2017-12-15 14:31:58 +0100 (Fri, 15 Dec 2017) $");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"0.0");
  script_name("scan for LaBrea tarpitted hosts");
  # ACT_SCANNER: runs in the port-scanning phase so a tarpit is marked dead
  # before the remaining plugins spend time on it.
  script_category(ACT_SCANNER);
  script_tag(name:"qod_type", value:"remote_active");
  script_copyright("This script is Copyright (C) 2001 by John Lampe");
  script_family("Port scanners");
  # ping_host.nasl populates the /tmp/ping/ICMP key consulted below.
  script_dependencies("ping_host.nasl");
  script_tag(name:"summary", value:"This script performs a labrea tarpit scan, by
sending a bogus ACK and ACK-windowprobe to a potential
host. It also sends a TCP SYN to test for non-persisting
labrea machines.");
  # Raw packets are forged as IPv4 only.
  script_exclude_keys("keys/TARGET_IS_IPV6");
  exit(0);
}
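# The probes below forge IPv4 headers only.
if(TARGET_IS_IPV6())exit(0);
include('global_settings.inc');

# LaBrea only answers TCP probes: a host that replied to the ICMP/UDP ping
# sweep is a real stack, not a tarpit, so there is nothing to test.
if (get_kb_item('/tmp/ping/ICMP') )
{
  debug_print('Host answered to ICMP or UDP probes - cannot be "tar pitted"\n');
  exit(0);
}

src = this_host();
dst = get_host_ip();
sport = 3133;
# rand() % 65535 yields 0..65534; the +1 keeps the probe off the reserved
# port 0 and within 1..65535.
dport = (rand() % 65535) + 1;
# Arbitrary fixed values so the probe is recognisable in a packet capture.
init_seq = 538;
init_ip_id = 12;
myack = 0xFF67;
# Only capture the target's answers addressed to the probe port we chose.
filter = string("src port ", dport, " and src host ", dst);

debug_print(level: 2, 'sport=',sport, ' - dport=',dport,'\n');

# Send two ACKs carrying a single data byte (a window probe).
# LaBrea in persist mode will ACK the packet below after the initial
# "ARP-who has" timeout (defaults to 3 seconds, hence the 2 packets).
# Note: `reply` keeps only the answer to the last probe sent.
for (q = 0; q < 2; q++) {
  ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                       ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                       ip_src:src);

  tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                         th_flags:TH_ACK, th_seq:init_seq, th_ack:myack,
                         th_x2:0, th_off:5, th_win:2048, th_urp:0, data:"H");

  reply = send_packet(pcap_active : TRUE,
                      pcap_filter : filter,
                      pcap_timeout : 3,
                      tcp);
}

# No answer to the bogus ACK: either a normal stack (silently dropped) or
# nothing listening; not a persisting tarpit.
if(!reply)exit(0);

winsize = get_tcp_element(tcp:reply, element:"th_win");
flags = get_tcp_element(tcp:reply, element:"th_flags");

# A RST means a real stack rejected the out-of-state ACK - not a tarpit.
if (flags & TH_RST) {
  exit(0);
}

# LaBrea in persist mode answers with a tiny window to hold the peer;
# treat the host as dead so the scanner does not get stuck in the tarpit.
if ( (winsize <= 10) && (flags & TH_ACK) ) {
  set_kb_item( name:"Host/dead", value:TRUE );
  exit(0);
}

# Now handle LaBrea in non-persist mode: a plain SYN to the same port.
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);

tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_SYN, th_seq:init_seq, th_ack:0,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);

reply2 = send_packet(pcap_active : TRUE,
                     pcap_filter : filter,
                     pcap_timeout : 5,
                     tcp);

# Mirror the first probe: never dissect a missing reply.
if(!reply2)exit(0);

winsize = get_tcp_element(tcp:reply2, element:"th_win");
flags = get_tcp_element(tcp:reply2, element:"th_flags");

# A SYN/ACK with the characteristic window of 10 on a random port marks
# the non-persisting tarpit.
if ( (flags & TH_ACK) && (flags & TH_SYN) && (winsize == 10) ) {
  set_kb_item( name:"Host/dead", value:TRUE );
  exit(0);
}

exit(0);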
{"id": "OPENVAS:10796", "type": "openvas", "bulletinFamily": "scanner", "title": "scan for LaBrea tarpitted hosts", "description": "This script performs a labrea tarpit scan, by\nsending a bogus ACK and ACK-windowprobe to a potential\nhost. It also sends a TCP SYN to test for non-persisting\nlabrea machines.", "published": "2005-11-03T00:00:00", "modified": "2017-12-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://plugins.openvas.org/nasl.php?oid=10796", "reporter": "This script is Copyright (C) 2001 by John Lampe", "references": [], "cvelist": [], "lastseen": "2017-12-18T10:58:39", "viewCount": 0, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2017-12-18T10:58:39", "rev": 2}, "dependencies": {"references": [], "modified": "2017-12-18T10:58:39", "rev": 2}, "vulnersScore": -0.3}, "pluginID": "10796", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: labrea.nasl 8145 2017-12-15 13:31:58Z cfischer $\n# Description: scan for LaBrea tarpitted hosts\n#\n# Authors:\n# John Lampe...j_lampe@bellsouth.net\n#\n# Copyright:\n# Copyright (C) 2001 by John Lampe\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This script performs a labrea tarpit scan, by\nsending a bogus ACK and ACK-windowprobe to a potential\nhost. 
It also sends a TCP SYN to test for non-persisting\nlabrea machines.\";\n\nif(description)\n{\n script_id(10796);\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:N\");\n script_version(\"$Revision: 8145 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-15 14:31:58 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"0.0\");\n name = \"scan for LaBrea tarpitted hosts\";\n script_name(name);\n\n\n\n script_category(ACT_SCANNER);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n\n script_copyright(\"This script is Copyright (C) 2001 by John Lampe\");\n family = \"Port scanners\";\n script_family(family);\n script_dependencies(\"ping_host.nasl\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_exclude_keys(\"keys/TARGET_IS_IPV6\");\n exit(0);\n}\n\n\nif(TARGET_IS_IPV6())exit(0);\ninclude('global_settings.inc');\n\n# Labrea only answers to TCP probes\nif (get_kb_item('/tmp/ping/ICMP') )\n{\n debug_print('Host answered to ICMP or UDP probes - cannot be \"tar pitted\"\\n');\n exit(0);\n}\n\nsrc = this_host();\ndst = get_host_ip();\nsport=3133;\ndport=rand() % 65535;\ninit_seq=2357;\ninit_ip_id = 1234;\nfilter = string(\"src port \", dport, \" and src host \", dst);\nmyack = 0xFF67;\ninit_seq = 538;\ninit_ip_id = 12;\nwinsize = 100;\nflags = 0;\n\ndebug_print(level: 2, 'sport=',sport, ' - dport=',dport,'\\n');\n\n# send two ACKs with a single byte as data (probe window)\n# Labrea in persist mode will ACK the packet below after the initial\n# \"ARP-who has\" timeout (defaults to 3 seconds, hence the 2 packets)\n\nfor (q=0; q<2; q = q + 1) {\n ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0,ip_off:0,ip_len:20,\n ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,\n ip_src:this_host());\n\n tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,\n th_flags:TH_ACK, 
th_seq:init_seq,th_ack:myack,\n th_x2:0, th_off:5, th_win:2048, th_urp:0, data:\"H\");\n\n\n\n reply = send_packet(pcap_active : TRUE,\n pcap_filter : filter,\n pcap_timeout : 3,\n tcp);\n}\n\n\nif(!reply)exit(0);\n\n\n\nwinsize = get_tcp_element(tcp:reply, element:\"th_win\");\nflags = get_tcp_element(tcp:reply, element:\"th_flags\");\n\n# don't know when this would be true...but adding it nonetheless\nif (flags & TH_RST) {\n exit(0);\n}\n\n\n\nif ( (winsize <= 10) && (flags & TH_ACK) ) {\n set_kb_item( name:\"Host/dead\", value:TRUE );\n exit(0);\n}\n\n\n\n\n# now handle LaBrea in non-persist mode\n\n winsize = 100;\n flags = 0;\n\n ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0,ip_off:0,ip_len:20,\n ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,\n ip_src:this_host());\n\n tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,\n th_flags:TH_SYN, th_seq:init_seq,th_ack:0,\n th_x2:0, th_off:5, th_win:2048, th_urp:0);\n\n\n\n reply2 = send_packet(pcap_active : TRUE,\n pcap_filter : filter,\n pcap_timeout : 5,\n tcp);\n\n\n winsize = get_tcp_element(tcp:reply2, element:\"th_win\");\n flags = get_tcp_element(tcp:reply2, element:\"th_flags\");\n if ( (flags & TH_ACK) && (flags & TH_SYN) && (winsize == 10) ) {\n set_kb_item( name:\"Host/dead\", value:TRUE );\n exit(0);\n }\n\nexit(0);\n\n\n\n", "naslFamily": "Port scanners"}